---
layout: howTo
---
<!--
    Licensed to the Apache Software Foundation (ASF) under one
    or more contributor license agreements. See the NOTICE file
    distributed with this work for additional information
    regarding copyright ownership. The ASF licenses this file
    to you under the Apache License, Version 2.0 (the
    "License"); you may not use this file except in compliance
    with the License. You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing,
    software distributed under the License is distributed on an
    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
    KIND, either express or implied. See the License for the
    specific language governing permissions and limitations
    under the License.
-->

<!-- Main -->
<div id="main">

    <!-- Introduction -->
    <section id="intro" class="main special">
        <div class="">
            <div class="content align-left">
                <header class="major">
                    <h1><b>Setting up SPF</b></h1>
                </header>

                <p>
                    You just finished installing a <a href="imap-server.html">James IMAP server</a> and wonder how to
                    gain trust for it?
                </p>

                <p>
                    The Sender Policy Framework (SPF) is an open standard specifying a technical method to prevent
                    sender address forgery. It might help you to do this.
                </p>

                <p>
                    More precisely, SPF protects the envelope sender address, which is used for the delivery of messages.
                    It allows the owner of a domain to specify their mail sending policy, e.g. which mail servers they
                    use to send emails from their domain.
                </p>

                <p>
                    To correctly configure SPF for your domain, you need to answer the following questions:
                </p>

                <ul>
                    <li><b>From what server or servers will email from my domain originate?</b> In our case, we only
                        want our James Server to be able to send emails from our domain.</li>
                    <li><b>How do you want illegitimate email to be handled?</b> <code>-all</code> is an SPF fail and
                        usually means dropping such emails, whereas <code>~all</code> is an SPF softfail and traditionally
                        means accepting but marking them.</li>
                </ul>

                <p>
                    Therefore, we add the following DNS records to our DNS zone file:
                </p>

                <pre><code>@ IN TXT “v=spf1 +a:james.test-domain.com -all”
@ IN SPF “v=spf1 +a:james.test-domain.com -all”</code></pre>

                <p>That way other mail servers know only <i>james.test-domain.com</i> can send mails for <i>test-domain.com</i>.</p>


                <header class="major">
                    <h1><b>Verifying SPF for incoming emails</b></h1>
                </header>

                <p>
                    Now we will see how to verify SPF records of incoming emails. For this we can customize mail processing,
                    and specify actions upon SPF record validity. For introducing these components, James relies on the
                    <a href="https://james.apache.org/jspf/">JSPF</a> library.
                </p>

                <p>We just need to edit the <code>mailetcontainer.xml</code> configuration file as follow:</p>

                <p>We are going to create a new processor called <b>SPFProcessor</b>. It will handle emails after
                    the <b>root</b> processor but before the <b>transport</b> processor. Moreover, we do not need to
                    perform a SPF check or take a decision if the sender is authenticated or is a local user, because
                    we already trust him.

                    In all other cases, we add a SPF header using the <b>SPF</b> mailet. Then we need to take a decision
                    about incoming emails. We use the <b>HasMailAttributeWithValue</b> matcher which has seven possible
                    values to handle in the case of SPF: <b>permerror</b>, <b>temperror</b>, <b>none</b>, <b>pass</b>,
                    <b>neutral</b>, <b>fail</b> and <b>softfail</b>. What action you choose for each of these values
                    depends on what you want to do. In our case, we redirect SPF errors and fails to the <b>error</b>
                    processor, whereas all other cases lead directly to the <b>transport</b> processor for further
                    normal processing. We are rather tolerant since we authorize <b>softfails</b>.</p>

                <p>For example:</p>

                <pre><code>[...]

&lt;processors>
&lt;processor state="root" enableJmx="true">
&lt;mailet match="All" class="PostmasterAlias"/>
&lt;mailet match="RelayLimit=30" class="Null"/>
&lt;mailet match="All" class="ToProcessor"&gt;
  &lt;processor&gt;SPFProcessor&lt;/processor>
&lt;/mailet&gt;
&lt;/processor>

&lt;processor state="error" enableJmx="true">
[...]
&lt;/processor>

&lt;processor state="SPFProcessor">
&lt;mailet match="SenderIsLocal" class="ToProcessor"&gt;
  &lt;processor&gt;transport&lt;/processor&gt;
&lt;/mailet&gt;
&lt;mailet match="SMTPAuthSuccessful" class="ToProcessor"&gt;
  &lt;processor&gt;transport&lt;/processor&gt;
&lt;/mailet&gt;
&lt;mailet match="All" class="SPF"&gt;
  &lt;addHeader&gt;true&lt;/addHeader&gt;
&lt;/mailet&gt;
&lt;mailet match="HasMailAttributeWithValue=org.apache.james.transport.mailets.spf.result, permerror" class="ToProcessor"&gt;
  &lt;processor&gt;error&lt;/processor&gt;
&lt;/mailet&gt;
&lt;mailet match="HasMailAttributeWithValue=org.apache.james.transport.mailets.spf.result, temperror" class="ToProcessor"&gt;
  &lt;processor&gt;error&lt;/processor&gt;
&lt;/mailet&gt;
&lt;mailet match="HasMailAttributeWithValue=org.apache.james.transport.mailets.spf.result, none" class="ToProcessor"&gt;
  &lt;processor&gt;transport&lt;/processor&gt;
&lt;/mailet&gt;
&lt;mailet match="HasMailAttributeWithValue=org.apache.james.transport.mailets.spf.result, pass" class="ToProcessor"&gt;
  &lt;processor&gt;transport&lt;/processor&gt;
&lt;/mailet&gt;
&lt;mailet match="HasMailAttributeWithValue=org.apache.james.transport.mailets.spf.result, neutral" class="ToProcessor"&gt;
  &lt;processor&gt;transport&lt;/processor&gt;
&lt;/mailet&gt;
&lt;mailet match="HasMailAttributeWithValue=org.apache.james.transport.mailets.spf.result, fail" class="ToProcessor"&gt;
  &lt;processor&gt;error&lt;/processor&gt;
&lt;/mailet&gt;
&lt;mailet match="HasMailAttributeWithValue=org.apache.james.transport.mailets.spf.result, softfail" class="ToProcessor"&gt;
  &lt;processor&gt;transport&lt;/processor&gt;
&lt;/mailet&gt;
&lt;mailet match="All" class="LogMessage"&gt;
  &lt;headers&gt;true&lt;/headers&gt;
  &lt;body&gt;false&lt;/body&gt;
  &lt;comment&gt;Unknown SPF result&lt;/comment&gt;
&lt;/mailet&gt;
&lt;/processor&gt;

[...]</code></pre>
<p>
  Finished configuring SPF ? Go check our guide for  <a href="dkim.html">configuring DKIM Record</a>.
</p>
            </div>
            <footer class="major">
                <ul class="actions align-center">
                    <li><a href="index.html" class="button">go back to other how-adasdasdetos</a></li>
                </ul>
            </footer>
        </div>


</div>

